An analysis of the RomCom APT shows the group is expanding its efforts beyond the Ukrainian military into the UK and other English-speaking countries.

The RomCom threat group is actively using trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro, to target various English-speaking countries — especially the UK — with a remote access Trojan (RAT). It's a departure in tactics, techniques, and procedures for the advanced persistent threat (APT).

During an analysis of a previous RomCom RAT campaign against the Ukraine military that used fake Advanced IP Scanner software to deliver malware, the threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other geolocations. The researchers determined the UK and other English-speaking countries were new RomCom targets based on the analysis of the terms of service and the SSL certificates of a new command-and-control server, which was registered in the UK.

Dmitry Bestuzhev, distinguished threat researcher with BlackBerry, tells Dark Reading that the UK is now actually one of the biggest RomCom targets, based on Blackberry's analysis.

"It's predictable, since the US and UK have been the most active supporters of Ukraine in the war with Russia," Bestuzhev says.

Once dropped, the RomCom RAT is designed to exfiltrate any sensitive data or passwords.

"Information is valuable, and when it's strategic, it helps the attacker build better offensive strategies and take advantage in any domain," Bestuzhev adds. "Geopolitics will set new targets. Since RomCom has been widely exposed, it's reasonable to believe the group behind it might change their TTPs."

This isn't the first shift in strategy for the group. "When RomCom was discovered, it was publicly associated with ransomware," Bestuzhev says. "The most recent campaigns prove that the motivation of this threat actor is not money. There is a geopolitical agenda that defines the new targets."

**RomCom RAT's Wrap**

The trojanizing scheme isn't terribly complicated, the BlackBerry team explained in its report.

RomCom scrapes the code from the software vendor the APT wants to use, registers a malicious domain that's likely to trick the user with typosquatting or similar tactics, trojanizes the real application, and then uploads the malware to the spoofed site. It then sends a phishing lure to the intended target through various channels, and boom — target compromised.

The wrapping approach isn't new, Andrew Barratt, vice president with Coalfire, tells Dark Reading; other APTs and groups like FIN7 have used similar tactics.

"This attack looks like it's a direct copycat of some attacks we investigated during the pandemic, where we saw a number of vendor products support tools being mimicked or 'wrapped' with malware," Barratt says. "The 'wrapping' process means that the underlying legitimate tool is still deployed, but as part of that deployment, some malware is dropped into the target environment."

**RomCom Targeting Humans**

To defend against RomCom attacks, Mike Parkin, senior technical engineer with Vulcan Cyber, recommends forgetting about the state espionage aspect of the campaign and instead focusing on social engineering and the true targets — individuals.

"With the current geopolitical situation, it's quite likely there is a state-level involvement behind the scenes. At its core, though, this is an attack against human targets," Parkin explains to Dark Reading. "They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."

RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software

Operations at the world's most expensive ground-based telescope, high in the Atacama Desert, remain disrupted.

The Atacama Large Millimeter Array (ALMA) astronomical observatory in Chile became an unlikely target for a cyberattack this week when unknown assailants knocked its systems offline. The ALMA may not be a household name, but it has a marquee role on the international academic stage, which might explain why it was targeted.

The ALMA is a radio telescope, located 5,000 meters above sea level in the unpopulated, geoglyph-laden expanse of the Atacama Desert. There, the conditions are uniquely suited for its mission: imaging early star and planet formation, and offering clues to the origins of the universe. It's maintained in international partnership between Canada, Chile, the EU, Japan, South Korea, Taiwan, and the United States, and, built at the cost of $1.4 billion, is the most expensive terrestrial-based telescope in existence.

The attack, which happened last weekend, has forced "the suspension of astronomical observations and the public website," the observatory said in a statement on Wednesday. "There are limited email services at the observatory. ... The attack did not compromise the ALMA antennas or any scientific data. Given the nature of the episode, it is not yet possible to estimate a timeline for a return to regular activities."

At press time, portions of the website were functioning, but a banner on the site reads, "A number of ALMA online services are currently unavailable — work is in progress to remedy this situation," adding, "replying to tickets by email is currently unavailable."

While the nature of the malware used is unknown, motivations could be myriad. Scientific research is no stranger to targeting by nation-states looking for a competitive edge; and, of course, a victim of this caliber in astronomy circles is a good tool for a ransomware gang to use to burnish its Dark Web reputation.

Research telescopes have also been attacked in the past, seemingly for the lulz: In 2017, Australia's Zadko telescope was knocked offline, almost preventing it from capturing an anticipated, once-in-a-lifetime collision between two neutron stars in deep space.

Awareness that this academic sector is a target for cyberattackers is growing. Some telescopes have taken precautions, such as the National Radio Astronomy Observatory (NRAO) in Indiana, which has contracted the National Science Foundation's ResearchSOC to provide cybersecurity protection.

Cyberattackers Focus In on State-of-the-Art ALMA Observatory

The solution lies in analyzing sequences of activities as user journeys, instead of analyzing each activity on its own.

Historically, enterprise organizations have not sufficiently monitored their employees' activities within internal business applications. They were essentially (and blindly) trusting their employees. This trust has unfortunately caused severe business damage due to the actions of some malicious insiders.

Monitoring is hard when existing solutions for detecting malicious activities in business applications are mainly based on rules that have to be written and maintained separately for each application. This is because each application has a bespoke set of activities and log formats. Rules-based detection solutions also generate many false positives (i.e., false alerts) and false negatives (i.e., malicious activities go undetected).

Detection needs to be agnostic to the meaning of an application's activities so it can be applied to any business application.

The solution to this challenge lies is in analyzing sequences of activities instead of analyzing each activity on its own. This means we should analyze user journeys (i.e., sessions) to monitor authenticated users in business applications. A detection engine learns all typical journeys for each user, or cohort, and uses them to detect a journey that deviates from typical journeys.

The two main challenges a detection engine needs to address are:

1.  Each application has a different set of activities and log format.
2.  We need to accurately learn typical user journeys in each application and across applications.

**Standardizing the Detection Model**

In order to apply one detection model to any application layer log, we can extracting from each journey the following three sequence-based features (i.e., characteristics):

1.  The set of activities, each denoted by numeric codes.
2.  The order in which activities were performed in the session.
3.  Time intervals between activities during the session.

These three characteristics can be applied to _any_ application session, and even to sessions across applications.

The figure below illustrates the three characteristics of a user journey based on five activities, each denoted by a number, as the activity is a numeric code from the model's perspective.

    

**Learning Typical User Journeys Across Apps**

As explained above, the detection of abnormal journeys is based on learning _all_ typical user journeys. Clustering technology groups similar data points to learn these user journeys and generate a typical user journey for each group of similar journeys. This process runs continuously as new log data becomes available.

Once the system learns the journeys typical to the user, the detection solution can check every new journey to see whether it is similar to a previously-learned one. If the current journey does not resemble past sessions, the solution flags it as an anomaly. It's also possible to compare the current journey against journeys associated with the cohort the user belongs to.

A detection solution must be based on an extremely accurate clustering engine tailored for sequence clustering, while still remaining almost linear in the number of journeys it clusters and not requiring prior knowledge as to how many clusters to generate. In addition, it has to detect outliers, remove them from the data set to enhance clustering accuracy, and identify these outliers as anomalies. That's how the clustering engine that generates groups of similar user journeys can also detect abnormal user journeys in historical data and report them as anomalies.

Detecting Malicious User Behavior Within and Across Applications

Threat actors continue to push malicious Python packages to the popular PyPI service, striking with typosquatting, authentic sounding file names, and hidden imports to fool developers and steal their information.

Attackers continue to create fake Python packages and use rudimentary obfuscation techniques in an attempt to infect developers' systems with the W4SP Stealer, a Trojan designed to steal cryptocurrency information, exfiltrate sensitive data, and collect credentials from developers' systems.

According to an advisory published this week by software supply chain firm Phylum, a threat actor has created 29 clones of popular software packages on Python Package Index (PyPI), giving them benign-sounding names or purposefully giving them names similar to legitimate packages, a practice known as typosquatting. If a developer downloads and loads the malicious packages, the setup script also installs — through a number of obfuscated steps — the W4SP Stealer Trojan. The packages have accounted for 5,700 downloads, researchers said.

While W4SP Stealer targets cryptocurrency wallets and financial accounts, the most significant objective of the current campaigns appears to be developer secrets, says Louis Lang, co-founder and CTO at Phylum.

"It's not unlike the email phishing campaigns we are used to seeing, only this time attackers are solely targeting developers," he says. "Considering developers often hold access to the crown jewels, a successful attack can be devastating for an organization."

The attacks on PyPI by the unknown actor, or group, are just the latest threats to target the software supply chain. Open source software components distributed through repository services, such as PyPI and the Node Package Manager (npm), are a popular vector of attacks, as the number of dependencies imported into software has grown dramatically. Attackers attempt to use the ecosystems to distribute malware to unwary developers' systems, as happened in a 2020 attack on the Ruby Gems ecosystem and attacks on the Docker Hub image ecosystem. And in August, security researchers at Check Point Software Technologies found 10 PyPI packages that dropped information-stealing malware. 

In this latest campaign, "these packages are a more sophisticated attempt to deliver the W4SP Stealer onto Python developer's machines," Phylum researchers stated in their analysis, adding: "As this is an ongoing attack with constantly changing tactics from a determined attacker, we suspect to see more malware like this popping up in the near future."

**PyPI Attack Is a "Numbers Game"**

That attack takes advantage of developers who mistakenly mistype the name of a common package or use a new package without adequately vetting the source of the software. One malicious package, named "typesutil," is just a copy of the popular Python package "datetime2," with a few modifications.

Initially, any program that imported the malicious software would run a command to download malware during the setup phase, when Python loads dependencies. However, because PyPI implemented certain checks, the attackers started using whitespace to push the suspicious commands outside of the normal viewable range of most code editors.

"The attacker changed tactics slightly, and instead of just dumping the import in an obvious spot, it was placed waaaaay off screen, taking advantage of Python's seldomly used semicolon to sneak the malicious code onto the same line as other legitimate code," Phylum stated in its analysis.

While typosquatting is a low-fidelity attack with only rare successes, the effort costs attackers little compared to the potential reward, says Phylum's Lang.

"It's a numbers game with attackers polluting the package ecosystem with these malicious packages on a daily basis," he says. "The unfortunate reality is that the cost to deploy one of these malicious packages is extremely low relative to the potential reward."

**A W4SP That Stings**

The eventual goal of the attack is to install the "information-stealing Trojan W4SP Stealer, which enumerates the victim's system, steals browser-stored passwords, targets cryptocurrency wallets, and searches for interesting files using keywords, such as 'bank' and 'secret,'" says Lang.

"Aside from the the obvious monetary rewards of stealing cryptocurrency or banking information, some of the pilfered information could be used by the attacker to further their attack by giving access to critical infrastructure or additional developer credentials," he says.

Phylum has made some progress in identifying the attacker and has sent reports to the companies whose infrastructure is being used.

W4SP Stealer Stings Python Developers in Supply Chain Attack

Companies combine award-winning data security with the hot cloud storage service.

**CLINTON, N.J., Nov. 3, 2022 /PRNewswire/** —

Calamu

, a pioneer in data-first security and cyberstorage, today announced a partnership with

Wasabi Technologies

, the

hot cloud storage company

. Together the companies provide enterprise organizations with highly secure and affordable data storage vaults by combining Calamu Protect and Wasabi cloud storage.

Many organizations are turning to public cloud to keep up with growing data  
volumes and to power business-critical enterprise applications. A key component  
is data security, requiring IT organizations to integrate a multilayered  
approach to protect data from ransomware and other cybersecurity threats.

Wasabi hot cloud storage offers high performance data storage with

object level immutability

that ensures data cannot be altered in any way. Priced significantly less than large hyperscale providers or on-premises storage options, Wasabi customers benefit from predictable pricing with no fees for egress or API requests. Calamu Protect turns Wasabi-powered data storage into a highly secure

cyberstorage vault

, adding patented data processing and award-winning security features.

"The combination of Calamu and Wasabi offers a highly secure cloud storage  
solution, one that prevents data from being stolen or leaked while  
simultaneously boosting reliability and durability of stored data," said Jeff  
Weinstein, President & COO at Calamu. "Together, the integrated solution enables  
enterprises to store data in the cloud without risk that it can be lost, stolen,  
maliciously encrypted, or held for ransom."

Complementing existing IT security frameworks, Calamu Protect bridges the gap  
between perimeter defenses and reactionary recovery solutions. The technology  
will automatically detect suspicious anomalies and self-heal the environment,  
ensuring sensitive data stays out of enemy hands and remains available for  
business operations.

"Organizations are increasingly relying on the cloud to drive business-critical  
operations, underpinned by affordable and secure storage," said David Boland, VP  
of Cloud Strategy, Wasabi Technologies. "Integrating Calamu Protect with Wasabi  
hot cloud storage provides an advanced layer of data and information security  
while mitigating the risk of internal and external threats."

**Available Today**

Calamu Protect with Wasabi is available today. For more information, read the

Solution Brief

.

**About Wasabi Technologies**

Wasabi provides simple, predictable, and affordable hot cloud storage for  
businesses all over the world. It enables organizations to store and instantly  
access an unlimited amount of data at 1/5th the price of the competition with no  
complex tiers or unpredictable egress fees. Trusted by tens of thousands of  
customers worldwide, Wasabi has been recognized as one of technology's  
fastest-growing and most visionary companies. Created by Carbonite co-founders  
and cloud storage pioneers David Friend and Jeff Flowers, Wasabi is a privately  
held company based in Boston. Wasabi is a Proud Partner of the Boston Red Sox,  
and the Official Cloud Storage Partner of Liverpool Football Club and the Boston  
Bruins. Follow and connect with Wasabi on

Twitter

,

Facebook

,

Instagram

, and

The Bucket

.

**About Calamu**

Calamu was founded by experts in cybersecurity and data protection with the  
mission of making the cyber world a safer place. The company is pioneering the  
use of cyberstorage and data-first technology to automatically mitigate the  
impact of a ransomware attack or data breach, whether data is stored in the  
cloud, on-premises, or in a hybrid environment. The Calamu platform enables  
businesses to maintain complete ownership of their data, preventing unauthorized  
access and dramatically simplifying regulatory requirements around data privacy  
and protection. For more information on Calamu follow on

Linkedin

or visit

www.calamu.com

.  
**  
SOURCE:** Calamu Technologies Corporation

Calamu Partners With Wasabi Technologies to Deliver Cloud Storage Vaults

The boot camp is for aspiring security analysts, network consultants, and penetration testers.

**SAN FRANCISCO****, Nov. 4, 2022 /PRNewswire/** — **Simplilearn,** _a global digital skills training provider,_ announced its partnership with the University of California, Irvine Division of Continuing Education (UCI DCE) for a **Cybersecurity boot camp**. The boot camp will provide expertise on offensive and defensive enterprise cybersecurity and give information on malware analysis, ethical hacking, securing applications, and the like. The cybersecurity boot camp is best suited for aspiring security analysts, network consultants, penetration testers, and aspirants for other related roles. To apply for the program, the learner should be at least 18 years and have a high school diploma or equivalent. Work experience is preferable but not mandatory; likewise, prior knowledge of programming is not required to apply for the boot camp.

This comprehensive program focuses on topics such as Web Application Penetration Testing, Application Security, Ethical Hacking, Threat Hunting, Malware and Ransomware Analysis, Cryptography, and Infrastructure Security. Learners will have the opportunity to interact with industry experts. They will receive masterclasses from UCI DCE instructors, six months of applied learning consisting of 10+ hands-on projects and 35+ demonstrations on integrated labs, access to cybersecurity labs, and more than 30 continuing education units (CEUs) from UCI DCE to demonstrate a commitment to ongoing learning and keep avenues to future opportunities open.

Ransomware and Malware Analysis teaches learners to detect, analyze and protect businesses from ransomware attacks. Ethical Hacking and VAPT provides hands-on training to master the techniques hackers use to penetrate network systems and understand the finer nuances of advanced hacking concepts, penetration testing and vulnerability assessment. The cybersecurity boot camp capstone project gives learners an opportunity to implement the skills learned in the boot camp. It will teach problem-solving for real-world industry challenges and enable learners to showcase their expertise to prospective employers.

Speaking on the program, **Mr. Anand Narayanan, Chief Product Officer, Simplilearn,** said, _"The rapid expansion of technology has made us more vulnerable to cyber-attacks, and the need for security online has increased multi-fold. Cybersecurity helps businesses protect information from unpleasant data breach incidents. To have a multi-layered level of protection, companies must understand the importance of cybersecurity; today, most organizations are focused on tightening their online security. With the relevance of this skill in mind, we are happy to partner with the University of California, Irvine Division of Continuing Education for the Cybersecurity boot camp. This partnership will help learners grasp the concepts and skills required to protect businesses from cyber-attacks."_

Speaking on the partnership, **Ms. Julie Pai, Assistant Director of Technology Programs, UCI DCE,** said, _"Organizations, irrespective of size and capacity, face the threat of cyber-attacks. With technological advancements happening at a rapid pace, the challenges of such instances are inevitable. The monetary impact of data breaches aside, the effect of these attacks on the brand and the business is of significant concern. We are happy to partner with Simplilearn to address this skill requirement and co-deliver the professional program on Cybersecurity. We are confident that the knowledge provided through this boot camp will significantly boost the learners' careers."_

The boot camp will start with an orientation session, followed by a module on Enterprise Infrastructure Security that will enable the learners to gain knowledge and skills in a series of advanced and current concepts in cybersecurity. The Application and Web Application Security module will help learners understand the skills of OWASP tools and methodologies, clickjacking, black box, fuzzing, symmetric/asymmetric cryptography, hashing, digital signatures, patch management and much more.

Simplilearn conducts more than 3,000 live classes, with an average of 70,000 learners who together spend more than 500,000 hours each month on the platform. Programs offered by Simplilearn give learners the opportunity to upskill and get certified in popular domains.

**About UCI DCE**

UC Irvine Division of Continuing Education (UCI DCE) was established in 1962 and has served the lifelong learning and career development needs of individuals, organizations, and the community on a local, regional, and global scale. Through a wide range of educational opportunities, including certificate and specialized studies programs, short courses and strategic partnerships, UCI DCE provides learning pathways for those seeking career advancement or personal enrichment.

**About Simplilearn**

Founded in 2010 and based in San Francisco, California, and Bangalore, India, Simplilearn, a Blackstone company is the world's #1 online Bootcamp for digital economy skills training. Simplilearn offers access to world-class work-ready training to individuals and businesses around the world. The Bootcamps are designed and delivered with world-renowned universities, top corporations, and leading industry bodies via live online classes featuring top industry practitioners, sought-after trainers, and global leaders. From college students and early career professionals to managers, executives, small businesses, and big corporations, Simplilearn's role-based, skill-focused, industry-recognized, and globally relevant training programs are ideal upskilling solutions for diverse career or/and business goals.

For more information, please visit https://www.simplilearn.com/

**SOURCE:** Simplilearn Solutions Private Limited

Simplilearn and the University of California, Irvine Division of Continuing Education Partner for a Cybersecurity Boot Camp

Security is more like a seat belt than a technical challenge. It's time for developers to shift away from a product-first mentality and craft defenses that are built around user behaviors.

Technology designers begin by building a product and testing it on users. The product comes first; user input is used to confirm its viability and improve upon it. The approach makes sense. McDonald's and Starbucks do the same. People can't imagine new products, just like they can't imagine recipes, without experiencing them.

But the paradigm also has been extended to the design of security technologies, where we build programs for user protection and then ask users to apply them. And this doesn't make sense.

Security isn't a conceptual idea. People already use email, already browse the Web, use social media, and share files and images. Security is an improvement that is layered over something users already do when sending emails, browsing, and sharing online. It's similar to asking people to wear a seat belt.

**Time to Look at Security Differently**

Our approach to security, though, is like teaching driver safety while ignoring how people drive. Doing this all but ensures that users either blindly adopt something, believing it's better, or on the flip side, when forced, merely comply with it. Either way, the outcomes are suboptimal.

Take the case of VPN software. These are heavily promoted to users as a must-have security and data-protection tool, but most have limited to no validity. They put users who believe in their protections at greater risk, not to mention that users take more risks, believing in such protections. Also, consider the security awareness training that is now mandated by many organizations. Those who find the training to be irrelevant to their specific use cases find workarounds, often leading to nonenumerable security risks.

There's a reason for all this. Most security processes are designed by engineers with a background in developing technology products. They approach security as a technical challenge. Users are just another action into the system, no different than software and hardware that can be programmed to perform predictable functions. The goal is to contain actions based on a predefined template of what inputs are suitable, so that the outcomes become predictable. None of this is premised on what the user needs, but instead reflects a programming agenda set out in advance.

Examples of this can be found in the security functions programmed into much of today's software. Take email apps, some of which allow users to check an incoming email's source header, an important layer of information that can reveal a sender's identity, while others don't. Or take mobile browsers, where, again, some allow users to check the SSL certificate quality while others don’t, even though users have the same needs across browsers. It's not like someone needs to verify SSL or the source header only when they're on a specific app. What these differences reflect is each programming group's distinct view of how their product should be used by the user — a product-first mentality.

Users purchase, install, or comply with security requirements believing that the developers of different security technologies deliver what they promise — which is why some users are even more cavalier in their online actions while using such technologies.

**Time for a User-First Security Approach**

It's imperative that we invert the security paradigm — put users first, and then build defense around them. This is not only because we must protect people but also because, by fostering a false sense of protection, we're fomenting risk and making them more vulnerable. Organizations also need this to control costs. Even as the economies of the world have teetered from pandemics and wars, organizational security spending in the past decade has increased geometrically.

User-first security must begin with an understanding of how people use computing technology. We have to ask: What is it that makes users vulnerable to hacking via email, messaging, social media, browsing, file sharing?

We have to disentangle the basis for risk and locate its behavioral, cerebral, and technical roots. This has been the information that developers have long ignored as they built their security products, which is why even the most security-minded companies still get breached.

**Pay Attention to Online Behavior**

Many of these questions have already been answered. The science of security has explained what makes users vulnerable to social engineering. Because social engineering targets a variety of online actions, the knowledge can be applied to explain a wide swath of behaviors.

Among the factors identified are _cyber-risk beliefs —_ ideas users hold in their mind about the risk of online actions, and _cognitive processing strategies —_ how users cognitively address information, which dictates the amount of focused attention users pay to information when online. Another set of factors are _media habits and rituals_ that are partly influenced by the types of devices and partly by organizational norms. Together, beliefs, processing styles, and habits influence whether a piece of online communication — email, message, webpage, text — triggers _suspicion_.

**Train, Measure, and Track User Suspicions**

Suspicion is that unease when encountering something, the sense that something is off. It almost always leads to information seeking and, if a person is armed with the right types of knowledge or experience, leads to deception-detection and correction. By measuring suspicion along with the cognitive and behavioral factors leading to phishing vulnerability, organizations can diagnose what made users vulnerable. This information can be quantified and converted into a risk index which they can use to identify those most at risk — the weakest links — and protect them better.

By capturing these factors, we can track how users get co-opted through various attacks, understand why they get deceived, and develop solutions to mitigate it. We can craft solutions around the problem as experienced by end users. We can do away with security mandates, and replace them with solutions that are relevant to users.

After billions spent putting security technology in front of users, we remain just as vulnerable to cyberattacks that emerged in the AOL network in the 1990s. It's time we changed this — and built security around users.

Build Security Around Users: A Human-First Approach to Cyber Resilience

The settlement muddies the waters even further for the viability of war exclusion clauses when it comes to cyber insurance.

Mondelez International, maker of Oreos and Ritz Crackers, has settled a lawsuit against its cyber insurer after the provider refused to cover a multimillion-dollar clean-up bill stemming from the sprawling NotPetya ransomware attack in 2017.

The snack giant originally brought the suit against Zurich American Insurance back in 2018, after NotPetya had completed its global cyber-ransacking of major multinational corporations, and the case has since been tied up in court. Terms of the deal have not been disclosed, but a "settlement" would indicate a compromise resolution — illustrating just how thorny an issue cyber-insurance exclusion clauses can be.

**NotPetya: Act of War?**

The lawsuit hinged on the contract terms in the cyber insurance policy — specifically, an exclusion carve-out for damages caused by acts of war.

NotPetya, which the US government in 2018 dubbed the "most destructive and costliest cyberattack in history," started out as compromising Ukrainian targets before spreading globally, ultimately impacting companies in 65 countries and costing billions in damage. It spread rapidly thanks to the use of the EternalBlue worming exploit in the attack chain, which is a leaked NSA weapon that allows malware to self-propagate from system to system using Microsoft SMB file shares. Notable victims of the attack included FedEx, shipping behemoth Maersk, and pharmaceutical giant Merck, among many others.

In the case of Mondelez, the malware locked up 1,700 of its servers and a staggering 24,000 laptops, leaving the corporation incapacitated and reeling from more than $100 million in damages, downtime, lost profits, and remediation costs.

As if that weren't tough enough to swallow, the food kahuna soon found itself choking on the response from Zurich American when it filed a cyber insurance claim: The underwriter had no intention of covering the costs, citing the aforementioned exclusion clause that included the language "hostile or warlike action in time of peace or war" by a "government or sovereign power."

Thanks to world governments' attribution of NotPetya to the Russian state, and the original mission of the attack to strike a known kinetic adversary of Moscow, Zurich American had a case — despite the fact that the Mondelez attack was certainly unintended collateral damage.

However, Mondelez argued that Zurich American's contract left some disputed crumbs on the table, as it were, given the lack of clarity in what could and could not be covered in an attack. Specifically, the insurance policy clearly stated that it would cover "all risks of physical loss or damage" — emphasis on "all" — "to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction." It's a situation that NotPetya perfectly embodies.

Caroline Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and midsize businesses (SMBs), notes that the lack of clear cyber insurance policy-wording left the door open for Mondelez' appeal — and should act as a cautionary message to others negotiating coverage.

"The scope of coverage, and the application of war exclusions, remains one of the most challenging areas for insurers as cyber threats continue to evolve, businesses increase their dependencies on digital operations, and geopolitical tensions continue to have widespread impact," she tells Dark Reading. "It is paramount for insurers to be familiar with the terms of their policy and seek clarification where needed, but also opt for modern cyber-policies that can evolve and adapt at the pace their risk and exposures do."

**War Exclusions**

There's one glaring issue in making war exclusions stick for cyber insurance: he difficulty in proving that attacks are indeed "acts of war" — a burden that generally requires determining on whose behalf they're carried out.

In the best of cases, attribution is more of an art than a science, with a shifting set of criteria underpinning any confident finger-pointing. Rationales for advanced persistent threat (APT) attribution often rely on far more than quantifiable technology artifacts, or overlaps in infrastructure and tooling with known threats.

Squishier criteria can include aspects such as victimology (i.e., are the targets consistent with state interests and policy goals?; the subject matter of social-engineering lures; coding language; level of sophistication (does the attacker need to be well-resourced? Did they use an expensive zero day?); and motive (is the attack bent on espionage, destruction, or financial gain?). There's also the issue of false-flag operations, where one adversary manipulates these levers to frame a rival or adversary.

"What is shocking to me is the idea of verifying that these attacks can be reasonably attributed to a state — how?" says Philippe Humeau, CEO and co-founder of CrowdSec. "It is well known that you can hardly track a decently skilled cybercriminal's base of operations, since air-gapping their operations is the first line of their playbook. Two, governments are not willing to actually admit they do provide cover for the cybercriminals in their countries. Three, cybercriminals in many parts of the world are usually some mix of corsairs and mercenaries, faithful to whatever entity/nation-state may be funding them, but totally expandable and deniable if there are ever questions about their affiliation."

That's why, absent a government taking responsibility for an attack a la terrorism groups, most threat-intelligence firms will caveat state-sponsored attribution with phrases like, "we determine with low/moderate/high confidence that XYZ is behind the attack," and, to boot, different firms may determine different sources for any given attack. If it's that difficult for professional cyber-threat-hunters to pin down the culprits, imagine how difficult it is for cyber-insurance adjusters operating with a fraction of the skills.

If the standard for proof of an act of war is wide governmental consensus, this also poses issues, Humeau says.

"Accurately attributing attacks to nation-states would require cross-country legal cooperation, which has historically proven to be both difficult and slow," says Humeau. "So the idea of attributing these attacks to nation-states who will never 'fess up to it leaves too much room for doubt, legally speaking."

**An Existential Threat to Cyber Insurance?**

To Thompson's point, one of the realities in today's environment is the sheer volume of state-sponsored cyber activity in circulation. Bryan Cunningham, attorney and advisory council member at data security company Theon Technology, notes that if more and more insurers simply deny all claims stemming from such activity, there could be very few payouts indeed. And, ultimately, companies may not see cyber-insurance premiums as worth it anymore.

"If a significant number of judges actually begin allowing carriers to exclude coverage for cyberattacks just upon a claim that a nation-state was involved, this will be as devastating to the cyber insurance ecosystem as 9/11 was (temporarily) to commercial real estate," he says. "As a result, I do not think many judges will buy this, and proof, in any event, will almost always be difficult."

In a different vein, Ilia Kolochenko, chief architect and CEO of ImmuniWeb, notes that the cybercriminals will find a way to use the exclusions to their advantage — undercutting the value of having a policy even further.

"The problem stems from a possible impersonation of well-known cyber-threat actors," he says. "For instance, if cybercriminals — unrelated to any state — wish to amplify the damage caused to their victims by excluding the eventual insurance coverage, they may simply try to impersonate a famous state-backed hacking group during their intrusion. This will undermine trust in the cyber-insurance market, as any insurance may become futile in the most serious cases that actually require the coverage and justify the premiums paid."

**The Question of Exclusions Remains Unsettled**

Even though the Mondelez-Zurich American settlement would seem to indicate that the insurer succeeded in at least partially making its point (or perhaps neither side had the stomach for incurring further legal costs), there is conflicting legal precedent.

Another NotPetya case between Merck and ACE American Insurance over the same issue was put to bed in January, when the Superior Court of New Jersey ruled that act of war exclusions only extend to real-world physical warfare, resulting in the underwriter paying up a heaping $1.4 billion serving of claims settlement.

Despite the unsettled nature of the area, some cyber-insurers are going forward with war exclusions, most notably Lloyd's of London. In August the market stalwart told its syndicates that they will be required to exclude coverage for state-backed cyberattacks beginning in April 2023. The idea, the memo noted, is to protect insurance companies and their underwriters from catastrophic loss.

Even so, success for such policies remains to be seen.

"Lloyd's, and other carriers, are working on making such exclusions stronger and absolute, but I think this, too, ultimately will fail because the cyber-insurance industry likely could not survive such changes for long," Theon's Cunningham says.

Oreo Giant Mondelez Settles NotPetya 'Act of War' Insurance Suit

The cybersecurity agency announced it intends to scan all Internet-connected devices hosted in the UK for known vulnerabilities.

The National Cyber Security Centre has announced a new program that intends to scan every Internet-connected system hosted in the UK for vulnerabilities in what it touts as an effort to both remediate threats and monitor the nation's exposure.

The data collected will also help the country respond quickly to widespread zero days, explained Dr. Ian Levy, technical director of NCSC, in a blog post announcing the new vulnerability scanning program. Dr. Levy also sought to reassure the public that the program will be fully transparent.

"We're not trying to find vulnerabilities in the UK for some other, nefarious purpose," he wrote about the NCSC scanning announcement. "We're beginning with simple scans, and will slowly increase the complexity of the scans, explaining what we're doing (and why we're doing it)."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NCSC Implements Vulnerability Scanning Program Across UK

Several artifacts from recent attacks strongly suggest a connection between the two operations, researchers say.

FIN7, a financially motivated cybercrime organization that is estimated to have stolen well over $1.2 billion since surfacing in 2012, is behind Black Basta, one of this year's most prolific ransomware families.

That's the conclusion of researchers at SentinelOne based on what they say are various similarities in the tactics, techniques, and procedures between the Black Basta campaign and previous FIN7 campaigns. Among them are similarities in a tool for evading endpoint detection and response (EDR) products; similarities in packers for packing Cobalt Strike beacon and a backdoor called Birddog; source code overlaps; and overlapping IP addresses and hosting infrastructure.

**A Collection of Custom Tools**

SentinelOne's investigation into Black Basta's activities also unearthed new information about the threat actor's attack methods and tools. For example, the researchers found that in many Black Basta attacks, the threat actors use a uniquely obfuscated version of the free command-line tool ADFind for gathering information about a victim's Active Directory environment.

They found Black Basta operators are exploiting last year's PrintNightmare vulnerability in Windows Print Spooler service (CVE-2021-34527) and the ZeroLogon flaw from 2020 in Windows Netlogon Remote Protocol (CVE-2020-1472) in many campaigns. Both vulnerabilities give attackers a way to gain administrative access on domain controllers. SentinelOne said it also observed Black Basta attacks leveraging "NoPac," an exploit that combines two critical Active Directory design flaws from last year (CVE-2021-42278 and CVE-2021-42287). Attackers can use the exploit to escalate privileges from that of a regular domain user all the way to domain administrator.

SentinelOne, which began tracking Black Basta in June, observed the infection chain beginning with the Qakbot Trojan-turned-malware dropper. Researchers found the threat actor using the backdoor to conduct reconnaissance on the victim network using a variety of tools including AdFind, two custom .Net assemblies, SoftPerfect's network scanner, and WMI. It's after that stage that the threat actor attempts to exploit the various Windows vulnerabilities to move laterally, escalate privileges, and eventually drop the ransomware. Trend Micro earlier this year identified the Qakbot group as selling access to compromised networks to Black Basta and other ransomware operators. 

"We assess it is highly likely the Black Basta ransomware operation has ties with FIN7," SentinelOne's SentinelLabs said in a blog post on Nov. 3. "Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7."

**Sophisticated Ransomware Threat**

The Black Basta ransomware operation surfaced in April 2022 and has claimed at least 90 victims through the end of September. Trend Micro has described the ransomware as having a sophisticated encryption routine that likely uses unique binaries for each of its victims. Many of its attacks have involved a double-extortion technique where the threat actors first exfiltrate sensitive data from a victim environment before encrypting it. 

In the third quarter of 2022, Black Basta ransomware infections accounted for 9% of all ransomware victims, putting it in second place behind LockBit, which continued by far to be the most prevalent ransomware threat — with a 35% share of all victims, according to data from Digital Shadows.

"Digital Shadows has observed the Black Basta ransomware operation targeting the industrial goods and services industry, including manufacturing, more than any other sector," says Nicole Hoffman, senior cyber-threat intelligence analyst, at Digital Shadows, a ReliaQuest company. "The construction and materials sector follows close behind as the second most targeted industry to date by the ransomware operation."

FIN7 has been a thorn in the side of the security industry for a decade. The group's initial attacks focused on credit and debit card data theft. But over the years, FIN7, which has also been tracked as the Carbanak Group and Cobalt Group, has diversified into other cybercrime operations as well, including most recently into the ransomware realm. Several vendors — including Digital Shadows — have suspected FIN7 of having links to multiple ransomware groups, including REvil, Ryuk, DarkSide, BlackMatter, and ALPHV. 

"So, it would not be surprising to see yet another potential association," this time with FIN7, Hoffman says. "However, it is important to note that linking two threat groups together does not always mean that one group is running the show. It is realistically possible the groups are working together."

According to SentinelLabs, some of the tools that the Black Basta operation uses in its attacks suggest that FIN7 is attempting to disassociate its new ransomware activity from the old. One such tool is a custom defense-evasion and impairment tool that appears to have been written by a FIN7 developer and has not been observed in any other ransomware operation, SentinelOne said.

Source

DARKReading